Relayed network address translator (NAT) traversal

ABSTRACT

Network Address Translator (NAT) traversal is performed for a host located behind the NAT running a server, e.g., an HTTP server, using a relay server and a redirect server. The host (of the HTTP server) located behind the NAT uses a NAT-discovery process to determine the presence of the interposed NAT. Seamless IP communication over the IP network is provided using a Dynamic DNS (DDNS) system that is updated using a user registration database, which contains information about the presence or absence of a NAT relative to the HTTP server.

BACKGROUND OF THE INVENTION

[0001] In the last decade, the number of computers connected to the Internet has increased by an enormous order of magnitude. High growth in the number of Internet connections has put severe pressure on the available address-space of routable internet protocol (IP) addresses. To overcome the problem of limited and diminishing IP address-space, it became imperative to have a solution that would allow multiple users to share a single routable internet address. The commonly used solution for sharing a single IP address is known as a Network Address Translator (NAT). Operation of a typical NAT is described next.

[0002] The basic concept underlying a NAT is to have a device or software module that allows sharing of one or more routable Internet Protocol (IP) addresses by multiple computers. A typical NAT is connected to the public internet on one side and has at least one global or public IP address for receiving and sending data packets from and to the public internet. On the other side of the typical NAT is a private network, in which each network node (computer) is assigned a local arbitrary address. Typically, the NAT assigns arbitrary addresses to the nodes of the private network using a Dynamic Host Control Protocol (DHCP) or alternatively the NAT assigns static translation addresses.

[0003] The NAT provides a convenient way of providing shared and transparent communication between the public internet and the computers (attached to a private network) having a non-globally-unique IP address, i.e., an IP address that is not globally-unique. However, not all forms of communications are operable over NAT. Many types of applications require a globally-unique IP address as a termination point or require IP address consistency over the whole communication cycle. For example, an IP enabled phone will typically require a globally-unique IP address to receive and send voice-transmission using the IP. Presence of a NAT at the receiving end of the IP phone call may block the receiver from receiving the phone IP packets.

[0004] The presence of NATs in a network poses another type of problem as described next. There is no simple and convenient way to access a server type of device located behind a NAT from the public internet side of the NAT. For example, if a Hypertext Transfer Protocol (HTTP) webserver is located behind a NAT, then it has a private address which is invisible to the outside world through the public internet. On the contrary, a typical webserver, e.g., an HTTP server, which is not behind a NAT is readily accessible from the public internet if it has an IP address that can be resolved using common methods like the Domain Name System (DNS).

[0005] Typically, an HTTP server on a host is assumed to use the default port number, namely 80, for a host. An advantage of this arrangement is that the user of the browser does not need to designate a port number in addition to the address of the host because the default port number will be assumed. Because of the prevalence of Domain Name System (DNS) servers and dynamic DNS (DDNS) servers, most users of browsers do not understand that a domain name, e.g., www.name.com, represents a universal resource locator (URL), which is a long string of numbers. Moreover, most users of browsers have no understanding that a domain name of an HTTP server maps to a port number of the host as well as an address of the host because most users have never had to provide a port number.

[0006] TCP/IP allows multiple applications to run on a single computer using a variety of port numbers. When a NAT is used by a private network to share an IP address, then the port addresses are shielded behind the NAT from the outside network. This situation can be further complicated by presence of a firewall with a security policy that does not allow access to specific ports of the computers on the private network as described next.

[0007] A port-forwarding solution creates a “tunnel” through the firewall so that external users from the public internet can access a specific computer in the private network using the designated port for the tunnel. Typically, a port forwarding solution has a maximum number of about five forwarded port entries. But many applications like network-gaming, instant messaging and collaboration software may require access to previously “unopened” specific TCP/UDP ports from the external public internet. Creating all the required tunnels for such applications can be an impractical task for a typical user, since the tunnel configuration process can be complicated and confusing. Port forwarding is typically a kind of functionality provided by a router, hence it typically raises a need for a specific router that has an inbuilt port forwarding capability.

[0008] The presence of NAT may not affect the network much if the transport connections are initiated from the clients that are behind the NAT. But if a server is located behind a NAT, then IP requests originating from the public network may not be able to access the server due to the presence of NAT. An approach to solve this problem, and its drawbacks are discussed next. In a Dynamic Domain Name System (DDNS) the users attempting to access a server located behind a NAT using a Fully Qualified Domain Name (FQDN) may face problems. Such problems result from the situation when a server or device behind a NAT is assigned a private IP address by a NAT which is invisible. A DDNS trying to route packets to an IP address due to a FQDN access request will fail since the NAT-assigned private address is invisible to the public internet side of the NAT.

[0009] One approach to get around the NAT restrictions is called DMZ (an acronym for De-Militarized Zone) which allows a given machine behind a NAT to be directly connected to the internet, without compromising security of other machines in the network. DMZ allows a machine behind the NAT to operate as if it is directly connected to the internet. DMZ, like port forwarding discussed above, can be confusing to configure for a typical user, since it requires user expertise to configure it. Those skilled in the art will appreciate that DMZ cannot be used to open-up all machines of a network to the public internet. DMZ exposes a given machine to all the vulnerabilities that are associated with a direct connection to the internet, since it overrides the firewall protection. Hence, neither DMZ nor port forwarding is a satisfactory solution to the problem of transparent NAT traversal that requires no or minimum user effort to implement.

[0010] Universal Plug-and-Play (UPnP) is another method for NAT traversal. UPnP can provide the public IP address to the client behind the NAT. Like port forwarding, UPnP facilities are typically provided by the router itself. But the drawback of this approach lies in the special hardware requirement in the form of a router that is UPnP compliant.

[0011] Attempts have been made to define protocols for solving the NAT traversal problem described above. For example, protocols like TURN (Traversal Using Relay NAT), STUN (Simple Traversal of UDP through NAT), SPAN-A (Simple Protocol for Augmenting NATs), etc., provide an approach that does not require routers to have specific functionality of supporting NAT traversal. However, the above protocols have their own drawbacks. STUN can detect the presence of a NAT and the type of NAT. However, the STUN protocol by itself does not allow applications using HTTP protocol to overcome NAT traversal issues. TURN or SPAN-A protocols allocate a TCP listener on the relay server to relay incoming packets from one point to another, but do not address the problem of how an application can operate using NAT traversal.

SUMMARY OF THE INVENTION

[0012] A host running an HTTP server behind a Network Address Translator (NAT) connected to an IP network uses a NAT-discovery process, e.g., a STUN test, to determine the presence of the NAT. The host updates information in a redirect server based on the response of a relay server. An HTTP client host initiates a DNS query which connects it to the redirect server. The HTTP client host sends an HTTP request to the redirect server, which in turn redirects the HTTP request to a port on the packet relay server. The packet relay server relays the HTTP request to the HTTP server behind the NAT, which generates an HTTP response that is relayed back to the HTTP client. Seamless communication in an IP network is made possible by using a DDNS server that is updated using a user registration database. The IP network may have hosts located behind NATs and hosts that are directly connected to the IP network.

[0013] Further areas of applicability of the present invention will become apparent from the detailed description provided hereinafter. It should be understood that the detailed description and specific examples, while indicating the preferred embodiment of the invention, are intended for purposes of illustration only and are not intended to limit the scope of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

[0014] The present invention will become more fully understood from the detailed description and the accompanying drawings, wherein:

[0015] FIG. 1 shows a network configuration according to an embodiment of the present invention;

[0016] FIG. 2 is a sequence diagram of operations according to an embodiment of the present invention; and

[0017] FIG. 3 is an association diagram between a Dynamic DNS (DDNS) and a redirect Server according to an embodiment of the present invention.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

[0018] The following description of the example embodiment(s) is merely exemplary in nature and is in no way intended to limit the invention, its application, or uses.

[0019] FIG. 1 shows a network configuration 10 according to an embodiment of the present invention. Network configuration 10 includes a public IP network 12 that can be, e.g., the Internet.

[0020] Included as being attached to the public network 12 are: a packet relay server 20, a NAT-discovery, e.g., STUN (Simple Traversal UDP (User Datagram Protocol) through NATs), server 22, a redirect server 24, a dynamic DNS (DDNS) server 26, a DNS (domain name system) server 26, a host computing device 16 ₅, a host computing device 16 ₆, a network address translator (NAT) 14 ₁ and a NAT 14 ₂. The redirect server 24 and the DDNS server 26 also have a direct connection independent of the public IP network 12, e.g., representing a shared database (not depicted in FIG. 1).

[0021] The network configuration 10 further includes a private network 18 ₁ and a private network 18 ₂. Host computing devices 16 ₁ and 16 ₂ connect to the network 18 ₁ while host computing devices 16 ₃ and 16 ₄ connect to the network 18 ₂.

[0022] For the purposes of subsequent discussion, it can be helpful to think in terms of examples in which there is: an application, e.g., a web browser 30, that runs on the host 16 ₅; an application, e.g., an HTTP server 29, that runs on the host 16 ₁; an input unit 100, a processing unit 102 and an output unit 104 in the relay server 20; an application, e.g., a listener 31, that runs on the packet relay server 20; and an application, e.g., an HTTP server 80, that runs on the host 16 ₆.

[0023] Hosts 16 ₁ and 16 ₂ are indirectly connected to the public network 12 via the NAT 14 ₁ and the private IP network 18 ₁. Similarly, NAT 14 ₂ indirectly connects the hosts 16 ₃ and 16 ₄ to the public IP network 12 via the private IP network 18 ₂. Hosts 16 ₅ and 16 ₆ are directly connected to the public IP network 12.

[0024] Network configuration 10 described above including the hosts, NATs and private IP networks is a non-limiting example of how the network configuration 10 can be implemented in an embodiment of the present invention. Those skilled in the art will appreciate that any combination of NATs, private IP networks, hosts and directly connected hosts can be included in the network configuration 10. The difficulty of using a host shielded by a NAT is described next in the context of an illustration.

[0025] Host 16 ₁ can exchange IP packets with the public IP network 12 through the NAT 14 ₁. The function of the NAT 14 ₁ is to allow hosts 16 ₁ and 16 ₂ to share a single public IP address. The NAT 14 ₁ assigns private addresses to the hosts 16 ₁ and 16 ₂. Such private addresses are not visible to other IP devices connected to the public network 12. For example, the directly connected host 16 ₅ cannot readily send a packet addressed to the private address of host 16 ₂ that was assigned by the NAT 14 ₁.

[0026] NAT 14 ₁ assigns private IP addresses to the hosts 16 ₁ and 16 ₂ that are located “behind” it, i.e., the hosts 16 ₁ and 16 ₂ share the public or global IP address assigned to the NAT 14 ₁ plus each has (typically) a separate port number on the NAT 14 ₁. The combination of an IP address and a port number is referred to as a transport address. In order to send packets to the host 16 ₁, the browser 30 on the host 16 ₅ can send the packets to the global IP address of the NAT 14 ₁ and the port number assigned to the host 16 ₅ if the browser 30 knows this information. Then, the NAT 14 ₁ in turn forwards the packets to the private address of the host 16 ₂. But, as a practical matter, the presence of NAT 14 ₁ will not allow a typical client, e.g., the browser 30, to directly access the HTTP server 29 on host 16 ₁, since the browser 30 is most unlikely to have the port number of host 16 ₁ that was assigned by the NAT 16 ₁. This problem is known as the NAT traversal problem. To perform a NAT traversal, network configuration 10 according to an embodiment of the present invention includes additional elements as described next.

[0027] After booting up, the HTTP server 29 running on the host 16 ₁ performs a NAT-discovery process, e.g., a STUN test, to find out if its host 16 ₁ is located behind a NAT. In the example of a STUN test, the host 16 ₁ attempts to initiate a STUN session with the STUN server 22. Again, in the present example, the host 16 ₁ is located behind, i.e., shielded by NAT 14 ₁. Hence, the STUN test session initiated by the host 16 ₁ will indicate that the NAT 14 ₁ is present in the connection between the host 16 ₁ and the STUN server 22.

[0028] After positively determining the presence of a NAT, the host 16 ₁ connects to the packet relay server 20, which is operable to receive and forward IP packets. Host 16 ₁ initiates a TCP (Transmission Control Protocol) session and sends a packet relay initiation request to the input unit 100 of the relay server 20. Phraseology that has been used to describe this arrangement is that, in response, the processing unit 102 of the relay server 20 can run a TCP application known as a listener 31.

[0029] It is noted that the relay server 20 is similar in some respects to an HTTP proxy server (not depicted) and an SIP type of TURN server (not depicted). An HTTP proxy server analyzes packet payload to determine whether progress of a packet beyond the proxy server should be blocked or facilitated. In contrast, the relay server 20 ignores the content of the packet, i.e., the relay server 20 does not block packet progress based upon the type of payload. The TURN protocol run by the TURN server, in contrast, generally supports a device (e.g., host 16 ₁) behind a NAT (e.g., 14 ₁), but specifically does not support the hosting of a server (e.g., HTTP server 29) by the host 16 ₁.

[0030] The output unit 104 of the relay server 20 returns to the host 16 ₁ a global IP address (namely, the IP address of the packet relay server 20) and a port on which it (namely, the packet relay server 20 running the listener 31) will receive and send packets on behalf of the host 16 ₁. As is known, the packet relay server 20 assigns the address and port to the listener 31 dynamically. As such, the changing IP address and port must be tracked, as will be discussed below.

[0031] Hosts connected to the public IP network 12 such as the Internet can send packets to the IP address and port number designated by the relay server 20 as the listener 31. The listener 31 in turn forwards such packets to the host 16 ₁ (by extracting the payloads from the packets it receives, rewrapping with a new header identifying the HTTP server 29 as the destination and forwarding the rewrapped payloads via the NAT 14 ₁ to the HTTP server 29). Similarly, the host 16 ₁ can send packets to the relay server 20, and the relay server 20 can rewrap the payloads and transmit them to the specific forwarding IP address given in the packets. The relay server 20 provides a mechanism for the host 16 ₁ to indirectly obtain a global IP address (namely, an address on the public network 12) over which it can send and receive packets to/from the public network 12.

[0032] After obtaining the set of global IP address and port number from the relay server 20, the host 16 ₁ via the NAT 14 ₁ provides the redirect server 24 with the IP address and port number of the listener 31. Then the listener 31 can redirect HTTP requests from the public IP network 12 seeking the HTTP server 29 to the global IP address and port number of the listener 31 on the relay server 20.

[0033] Using the packet relay server 20, the host 16 ₁ can send and receive packets as if it was directly connected to the public network 12, as described above. However, any user/client of the HTTP server 30 connected to the public IP network 12 such as the browser 30 will need a mechanism to connect to the HTTP server 29 on host 16 ₁ via the packet relay server 20. The HTTP server 29 on host 16 ₁ is assigned a FQDN (again, a type of Universal Resource Locator (URL)), e.g., for the purposes of discussion say “www.somenet.com,” which is statically associated with a global IP address on the redirect server 24. The redirect server 24 adaptively maps the FQDN www.somenet.com to the dynamic IP address and port number of the listener 31. Hence, when a user (not depicted) makes a request via the browser 30 to access the FQDN “www.somenet.com”, the request from the browser 30 will first be received by the redirect server 24. The redirect server 24 can use multiple methods to redirect the HTTP request to the listener 31 on the relay server 20. Some examples of redirecting methods are described next.

[0034] The redirect server 24 can redirect an HTTP request by providing a “splash page” (not depicted) to the browser 30 when a request to access the host 16 ₁ is made. A hyperlink can be provided on such a “splash page”, which (if clicked by the user) will transfer the user to the listener 34 on the relay server 20. This further involves the user after the initial HTTP request had been submitted. Alternatively, the redirect server 24 can automatically redirect the HTTP request to the TCP listener 34 on the relay server 20 using the “307 Temporary Redirect” feature of the HTTP 1.1 protocol. The HTTP 1.1 temporary redirect method can eliminate the need to show a splash page and elicit a hyperlink click from the user of the browser 30. Further, a combination of splash page with an automatic JAVA-script-based redirect method can also be used. Via any of the above methods, the redirect server 24 can transfer or redirect any HTTP request for the HTTP server 30 on the host 16 ₁ to the TCP listener 31 on the relay server 20.

[0035] FIG. 2 is a sequence diagram of operations according to an embodiment of the present invention. FIG. 2 does not strictly conform to the conventions of UML-type sequence diagrams. After booting-up, the HTTP server 29 running on the host 16 ₁ sends a message 70 initiating a NAT-discovery process, e.g., a STUN test. The message 70 is sent to the NAT-discovery server, e.g., STUN server 22, via the NAT 14 ₁. The intervening role of the NAT 14 ₁ is indicated by the dot 72 at the intersection of the message 70 and the lifeline 74 of the NAT 14 ₁. Such a dot convention will be used for other messages passing via the NAT 14 ₁. The NAT-discovery server 22 sends a return message 76 to indicate the presence of the NAT 14 ₁ to the host 16 ₁.

[0036] Host 16 ₁ sends a message 32 to the packet relay server 20 requesting it to open a listener 31. The packet relay server 20 sends back a message 34 to the host 16 ₁ indicating the global IP address (of the packet relay server 20) and the port number (on the packet relay server 20) assigned to the listener 31. The host 16 ₁ then updates the redirect server 24 by a message 36 to register the global IP address and port number of the listener 31 on the relay server 20. The redirect server 24 will authenticate the message 36 and update its database to associate the IP address and port number of the listener 31 with the FQDN (here, in the example, www.somenet.com) of the HTTP server 29. After the above initiation process is over, the user, e.g., of the browser 30 on the host 16 ₅, can access the HTTP server 29 running on the host 16 ₁.

[0037] Harkening back to the example, it is to be noted that the browser 30 on the host 16 ₅ is representative of any computer or IP-enabled device connected to the public IP network 12 (shown in FIG. 1). When the user of the browser 30 types in the URL (Universal Resource Locator), e.g., FQDN, of the HTTP server 29, the browser 31 on the host 16 ₅ sends a message 38 to the DNS server 28 with the FQDN in order to obtain the DNS entry of the entered URL. The DNS server 28 sends back a message 40 to the host 16 ₅ with the IP address of the redirect server 24. It may be necessary for the DNS server 28 to communicate (not shown as a message in FIG. 2) with the DDNS server 26 in order to collectively provide the IP address of the redirect server 24 to the browser 30.

[0038] The typical browser 30 on the host 16 ₅ can then initiate an HTTP request to the IP address of the redirect server 24 on the default port 80 (for HTTP protocol communications) via a message 42. The redirect server 24 in turn checks its database to find a set of IP address and port number of the listener 31 on the relay server 20 that correspond to the requested URL or URI (Universal Resource Indicator). In other words, the redirect server 24 maintains a mapping to port numbers on the relay server 20, whereas the DNS 28/DNS 26 maintains merely the IP address of the listener 31/relay server 20. Upon finding a match, the redirect server 24, as shown by a message 44, responds by redirecting the HTTP request of the browser 30 to the relay server 20 using any of the above-described redirection methods.
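The registration step (message 36) and the redirect step (messages 42 and 44) can be sketched as follows. This is an added example, not code from the patent: the text says only that the redirect server authenticates the update, so the HMAC-SHA256 shared secret, the timestamp freshness window, and every class, function and address name here are assumptions.

```python
import hashlib
import hmac
import ipaddress
import time

MAX_SKEW = 300  # seconds an update stays acceptable (assumed freshness window)


def sign_update(secret: bytes, fqdn: str, ip: str, port: int, ts: int) -> str:
    """Host side: MAC over every field of the update (message 36)."""
    msg = f"{fqdn}|{ip}|{port}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class RedirectServer:
    """Hypothetical model of redirect server 24: FQDN -> listener transport address."""

    def __init__(self, secrets: dict[str, bytes]):
        self._secrets = secrets   # fqdn -> per-host shared secret (assumption)
        self._listeners = {}      # fqdn -> (relay_ip, relay_port)
        self._last_ts = {}        # fqdn -> newest accepted timestamp

    def register(self, fqdn, ip, port, ts, mac, now=None) -> bool:
        """Accept message 36 only if it is well formed, authentic and fresh."""
        now = int(time.time()) if now is None else now
        secret = self._secrets.get(fqdn)
        if secret is None:
            return False                      # unknown host name
        try:
            ipaddress.ip_address(ip)          # reject anything that is not an IP literal
        except ValueError:
            return False
        if not isinstance(port, int) or not 0 < port < 65536:
            return False
        expected = sign_update(secret, fqdn, ip, port, ts)
        if not hmac.compare_digest(expected, mac):
            return False                      # forged or altered update
        if abs(now - ts) > MAX_SKEW or ts <= self._last_ts.get(fqdn, 0):
            return False                      # stale or replayed update
        self._listeners[fqdn] = (ip, port)
        self._last_ts[fqdn] = ts
        return True

    def handle_request(self, host_header: str, path: str) -> tuple[int, dict]:
        """Messages 42/44: answer a browser request with a 307 to the listener."""
        fqdn = host_header.split(":")[0].lower()
        target = self._listeners.get(fqdn)
        if target is None:
            return 404, {}
        # The path is copied into a response header, so refuse CR/LF and
        # anything that is not an absolute path.
        if not path.startswith("/") or any(c in path for c in "\r\n"):
            return 400, {}
        ip, port = target
        host = f"[{ip}]" if ":" in ip else ip  # bracket IPv6 literals
        return 307, {"Location": f"http://{host}:{port}{path}"}
```

Without the authenticity and freshness checks in `register`, anyone able to reach the redirect server could repoint www.somenet.com at a listener of their choosing, or replay an old update after the relay port has been reassigned.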

[0039] Host 16 ₅ (as part of hosting the browser 30) then sends an HTTP request to the relay server 20 as indicated by the message 46 based on the redirection IP address and port number received from the redirect server 24. The relay server 20 in turn sends a message 48 to the host 16 ₁ with which it has maintained a live TCP session. Again, the relay server 20 unwraps the payloads of the packets (not shown) it receives that are directed to the listener 31, re-wraps the payloads to indicate the global IP address of the NAT 14 ₁ (which is also the global IP address of the HTTP server 29) and the port on the NAT 14 ₁ assigned to the HTTP server 29, and forwards the re-wrapped packets to the HTTP server 29 (via the NAT 14 ₁).

[0040] On the return side, the host 16 ₁ (as part of hosting the HTTP server 29) will send a response to the packet relay server 20 as message 50. Further, the relay server 20 transmits the response to the browser 30 on the host 16 ₅. In more detail, the relay server 20 receives packets sent by the HTTP server 29 whose destination is the browser 30, similarly rewraps the payloads as packets for the browser 30, and sends the re-wrapped packets to the browser 30. Thus, an HTTP session is established where the browser 30 on the host 16 ₅ can access the HTTP server 29 on the host 16 ₁ even though the host 16 ₁ is located behind the NAT 14 ₁, i.e., even though the NAT 14 ₁ is located between the browser 30 and the HTTP server 29.

[0041] Such NAT traversal is achieved above without the browser 30 on the host 16 ₅ having knowledge of the private IP address of the HTTP server 29 shielded by the NAT 14 ₁. No manual step or configuration is required at the host 16 ₅, i.e., on the user side of the HTTP access operation. Such transparent NAT traversal can be important if the accessing device is a device, i.e., such as an IP phone, since it would be difficult for a user to manually configure the whole process of NAT traversal. Again, such difficulty is due to the majority of users of such devices, similar to the majority of browser users, not understanding the mapping of a domain name to a URL, much less the aspect of needing to designate a port as well as an IP address.

[0042] FIG. 3 is an association diagram between the Dynamic DNS (DDNS) server 26 and a redirect Server 64 according to an embodiment of the present invention. The redirect server 64 is similar to the redirect server 26 of FIG. 1. The redirect server 64 includes: a user registrar unit 54; a user registration database 58; and an IP registrar unit 60. In a given network configuration 10 (see FIG. 1), it is possible that the HTTP server is not located behind a NAT. For example, host 16 ₆ is not located behind a NAT. Further, a DDNS server 26 can be present that assigns a dynamic IP address and port number to the host 16 ₅.

[0043] Alternatively, the unit 54, the unit 60 and the database 58 can be hosted by a processing entity other than the redirect server 64. For example, the DDNS server 26 can host the database 58.

[0044] Internet Service Providers typically provide dial-up users with a non-static IP address that changes from time to time as users login and logout. IP addresses also change for other known reasons, e.g., expiration of a finite lifetime. The DDNS is used to overcome the problem of a changing IP address. DDNS allows a domain name to be associated with a changing, i.e., dynamic, IP address. DDNS takes care of directing the DNS to point to the currently updated dynamic IP address for a given domain name.

[0045] Where a given network configuration 10 includes a host (e.g., 16 ₆) that is not behind a NAT, the HTTP server (e.g., 80) on the host can initiate a NAT-discovery process and will determine that no NAT is present in its connection path. The HTTP host 80 thereafter updates the redirect server 64 with its own dynamic IP address. In case the DDNS server 26 is present in the system, then the step of updating the redirect server 64 can be eliminated, since the DNS server 28 will be able to resolve the dynamic IP address when a DNS query (e.g., message 38 in FIG. 2) is received. A mechanism to make the NAT traversal work seamlessly in situations where a NAT may or may not be present for a given host is described next.

[0046] Seamless network operation, either where no NAT is present in a DDNS environment or a NAT is present and there also is both a relay server 20 and a redirect server 64 (that receives/provides an HTTP request/response as represented by a double-headed arrow 313, which corresponds to the messages 42 and 44 in FIG. 2), can be made possible as described next. A user registrar 54 accepts online registration requests 310 from IP devices, for example, hosts running HTTP servers. User registrar 54 receives a message 56 from a user (not depicted) that includes a registration request 310 and updates a user registration database 58. Then, an IP registrar 60 receives a message 62 that includes an IP update 62. If the IP registrar 60 is able to authenticate the IP update 311 of message 62, then it updates the IP address and port number associated with the registered user in the user registration database 58 and also information about the presence of the NAT.

[0047] The DDNS server 26 continuously tracks changes to the user registration database 58. As soon as the DDNS server 26 detects any change to the user registration database 58, it finds out about the presence of NAT for the recent update. If a NAT is not present for the recently updated IP address and port number, then the DDNS server 26 updates its internal DDNS lookup table(s) with the updated IP address and port number. The DDNS lookup table(s) (not depicted) is searched by all DNS servers 28 for resolving DNS queries (represented by the double-headed arrow 312, which corresponds to the messages 38 and 40 in FIG. 2). If a NAT is present, then the DDNS server 26 registers the IP address of the redirect server 26 and port number. Hence, the user registration database 58 provides a seamless mechanism for both types of hosts, i.e., those that are behind NATs and those that are not behind (not depicted) NATs.

[0048] In case of a given host behind a NAT, the internal tables (not depicted) of the DDNS server 26 would supply the IP address and port number of the redirect server 64. For the other situation, where a given host is not behind a NAT, then the DDNS server 26 can simply supply the IP address and port number of the particular host in response to a DNS query, i.e., the redirect server would not be needed.
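The lookup-table rule of paragraphs [0047] and [0048], sketched as an added example that is not code from the patent. The record fields, class names and sample addresses are assumptions, and dropping table entries for hosts removed from the registration database goes beyond what the text describes.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Registration:
    """One row of the user registration database 58 (field names assumed)."""
    ip: str
    port: int
    behind_nat: bool


class DdnsServer:
    """Hypothetical model of DDNS server 26 and its lookup table."""

    def __init__(self, redirect_addr: tuple[str, int]):
        self.redirect_addr = redirect_addr  # transport address of the redirect server
        self._table = {}                    # fqdn -> (ip, port) handed to DNS queries
        self._seen = {}                     # fqdn -> last Registration processed

    def sync(self, registration_db: dict[str, Registration]) -> list[str]:
        """Apply changes in the registration database; return the FQDNs touched."""
        changed = []
        for fqdn, reg in registration_db.items():
            if self._seen.get(fqdn) == reg:
                continue                    # row unchanged since the last pass
            if reg.behind_nat:
                # Host is shielded by a NAT: resolve to the redirect server.
                self._table[fqdn] = self.redirect_addr
            else:
                # Directly connected host: resolve to its own transport address.
                self._table[fqdn] = (reg.ip, reg.port)
            self._seen[fqdn] = reg
            changed.append(fqdn)
        # Added beyond the text: drop entries for hosts no longer registered,
        # so a stale record cannot point at an address someone else now holds.
        for fqdn in set(self._seen) - set(registration_db):
            del self._seen[fqdn]
            del self._table[fqdn]
            changed.append(fqdn)
        return sorted(changed)

    def resolve(self, fqdn: str) -> Optional[tuple[str, int]]:
        """Answer a DNS query (messages 38/40) from the lookup table."""
        return self._table.get(fqdn.lower())


# Constructed sample rows: one host behind a NAT, one directly connected.
SAMPLE_DB = {
    "www.somenet.com": Registration("198.51.100.20", 40031, True),
    "cam.example.net": Registration("203.0.113.9", 80, False),
}
```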

[0049] The description of the invention is merely exemplary in nature and, thus, variations that do not depart from the gist of the invention are intended to be within the scope of the invention. Such variations are not to be regarded as a departure from the spirit and scope of the invention.

What is claimed is:
 1. A system for communicating over a Network Address Translator (NAT) connected to an Internet Protocol (IP) network there being a first host connected via the NAT to the IP network and a second host connected to the IP network that seeks to communicate with the first host, the system comprising: at least one relay server connected to the IP network, the relay server being operable as a representative of the first host on the IP network; and at least one redirect server connected to the IP network; the redirect server and the relay server being operative, respectively, to cooperatively respond to an access request, which is originated by the second host and targets the first host, by cooperatively facilitating establishment of an IP communication channel between the second host and the first host.
 2. The system of claim 1, wherein: the redirect server is operable to receive the access message from the second host, and redirect the access message to a listener operated by the relay server; and the relay server is operable to relay the access message to the first host.
 3. The system of claim 2, wherein the redirect server is operable to redirect the access message to the relay server using at least one of a splash page with a manual redirect, a splash page with an automatic redirect, a protocol based automatic redirect mechanism, and a splash page with a script-based automatic redirect.
 4. The system of claim 1, wherein the relay server is operable, prior to receipt of the access request from the second host, to receive a packet relay request from the first host, and then provide a listener on behalf of the first host.
 5. The system of claim 4, wherein the relay server is further operable to provide the first host with an IP address and a port number of the listener.
 6. The system for claim 4, wherein the relay server is a packet relay server, and the listener is a Transmission Control Protocol (TCP) listener.
 7. The system of claim 1, wherein the redirect server is operable to receive an update as to an IP address and a port number of a listener on the relay server corresponding to the first host.
 8. The system of claim 7, wherein the update received by the redirect server comes from the first host.
 9. The system of claim 1, wherein the relay server is operable to represent an HTTP server being hosted by the first host and the IP communication channel is a Hypertext Transfer Protocol (HTTP) type of connection.
 10. The system of claim 1, wherein the IP network is the Internet.
 11. An apparatus for seamlessly communicating over an Internet Protocol (IP) network, the apparatus comprising: at least one Dynamic DNS (DDNS) server; and a DNS lookup table including a direct transport address for a second host that is directly connected to the IP network and a transport address which a redirect server associates with a first host that is connected via a Network Address Translator (NAT) to the IP network, the DNS lookup table being associated with the DDNS server, the DDNS server resolving a DNS query using the DNS lookup table.
 12. The apparatus of claim 11, further comprising: a user registration database, the DDNS server updating the DNS lookup table after sensing an update to the user registration database.
 13. The apparatus of claim 12, further comprising: a user registrar connected to the user registration database, the user registrar performing online registration of a user to update the registration database; and an IP registrar connected to the user registration database, the IP registrar updating a transport address of an authenticated user corresponding to one of the first host and the second host.
 14. A method for facilitating communication between a client connected to the IP network and a host connected via a Network Address Translator (NAT) to the IP network, the method comprising: receiving at a relay server connected to the IP network, if a NAT is present in a communication path connecting the host to the IP network, a packet relay request originated by a source server being hosted on the first host; providing a relay response from the relay server to the source server; and receiving, at a redirect server, update information originated by the source server based upon the relay response, the update information being usable by the redirect server to facilitate establishment of an IP communication channel between the client and the source server.
 15. The method of claim 14, wherein the source server is a Hypertext Transfer Protocol (HTTP) server, the IP network is the Internet, and the IP communication channel is an HTTP type of connection.
 16. A method for facilitating communication between a client connected to the IP network and a host connected via a Network Address Translator (NAT) to the IP network, the method comprising: receiving, at a redirect server, an access request from a second host; forwarding the access request to a relay server; and transferring the access request from the relay server to a first host; the receiving, forwarding and transferring collectively facilitating the establishment of an IP communication channel between the first host and the second host.
 17. The method of claim 16, wherein the access request is an HTTP request, the IP communication channel is an HTTP connection, an HTTP server is being hosted on the first host and the second host is an HTTP client of the HTTP server.
 18. The method of claim 17, wherein the establishment of the IP communication channel includes: receiving an HTTP response from the HTTP server on the first host at the relay server; and transmitting the HTTP response from the relay server to the second host.
 19. A method for seamlessly communicating over an Internet Protocol (IP) network, the method comprising: receiving a DNS query from an HTTP client to a DDNS server; resolving the DNS query using at least one DDNS server having a DNS lookup table, wherein the DNS lookup table includes a direct transport address for a second host that is directly connected to the IP network and a transport address which a redirect server associates with a first host that is connected via a Network Address Translator (NAT) to the IP network; and generating a DNS response, wherein the DNS response using at least one of the direct transport address and the redirect server's address based upon the DNS query being directed to at least one of the first host and the second host, respectively.
 20. The method of claim 19, further comprising: updating the DNS lookup table with information from a user registration database, the user registration database including transport addresses and NAT indicators for indicating presence of NATs for hosts similar to the second host.
 21. The method of claim 20, further comprising: registering a user connected to the user registration database through a user registrar; and authenticating an IP update from the user using an IP registrar; and updating the user registration database with a transport address of an authenticated user, the transport address corresponding to at least one of the first host and the second host.
 22. A method for facilitating communication from a client connected to the IP network to a host connected via a Network Address Translator (NAT) to the IP network, the method comprising: receiving a packet relay request at a packet relay server connected to the IP network, the request coming from the host connected via the NAT to the IP network; and providing a response from the relay server via the NAT to the host that indicates establishment of listener on the relay server that will listen on behalf of the host for communication from the client to the host.
 23. The method of claim 22, wherein the host is operable for hosting an HTTP server.
 24. The method of claim 22, wherein the listener is a Transmission Control Protocol (TCP) listener.
 25. The method of claim 22, wherein the IP network is the Internet.
 26. A packet relay server, connected to an Internet Protocol (IP) network, for facilitating communication from a client connected to the IP network to a host connected via a Network Address Translator (NAT) to the IP network, the apparatus comprising: an input unit to receive a packet relay request coming from the host connected via the NAT to the IP network; and a processor unit operable to generate a listener that will listen on behalf of the host for communication from the client to the host, and provide a response via the NAT to the host that indicates in IP address and port number of listener.
 27. The packet relay server of claim 26, wherein an application hosted by the host, for which the listener is generated, is an HTTP server.
 28. The packet relay server of claim 26, wherein the listener is a Transmission Control Protocol (TCP) listener.
 29. The packet relay server of claim 26, wherein the IP network is the Internet.
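
The following Python model is an added example, not code from the patent. It shows how the authenticated IP update of claims 19-21 protects the name-to-listener mapping used by the redirect server of claims 3 and 7, since anyone able to rewrite that mapping could steer clients to a listener of their choosing. The claims do not say how the IP registrar authenticates an update; the HMAC-SHA256 tag, the names Registry and update_tag, and all addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac

REDIRECT_ADDR = "203.0.113.10"  # constructed address of the redirect server


def update_tag(key, host, ip, port, behind_nat):
    """Authenticator a host attaches to its IP update (assumed: HMAC-SHA256)."""
    msg = f"{host}|{ip}|{port}|{int(behind_nat)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Registry:
    """User registration database and the DNS lookup table derived from it."""

    def __init__(self):
        self.keys = {}       # host name -> secret issued by the user registrar
        self.records = {}    # host name -> (ip, port, behind_nat)
        self.dns_table = {}  # host name -> address the DDNS server answers with

    def register(self, host, key):
        self.keys[host] = key

    def ip_update(self, host, ip, port, behind_nat, tag):
        """IP registrar: store a transport address only for an authenticated user."""
        key = self.keys.get(host)
        if key is None:
            return False
        expected = update_tag(key, host, ip, port, behind_nat)
        if not hmac.compare_digest(expected, tag):
            return False  # forged or altered update: mapping stays unchanged
        self.records[host] = (ip, port, behind_nat)
        # NAT indicator set: DNS answers with the redirect server, not the host.
        self.dns_table[host] = REDIRECT_ADDR if behind_nat else ip
        return True

    def resolve(self, host):
        return self.dns_table.get(host)

    def redirect(self, host):
        """Redirect server: send the client to the relay listener (HTTP 302)."""
        rec = self.records.get(host)
        if rec is None or not rec[2]:
            return None  # unknown host, or directly reachable: nothing to redirect
        return f"HTTP/1.1 302 Found\r\nLocation: http://{rec[0]}:{rec[1]}/\r\n\r\n"
```

For a host behind a NAT, the (ip, port) passed to ip_update is the relay listener's address returned in the relay response, so the tag covers exactly the values a client will later be redirected to.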